Route-map not sending traffic over vpn.

I'm trying to route all web traffic over a site-to-site IPsec VPN. The VPN is up and running with no issue. The issue I've been struggling with is that I have a route-map statement that is seeing the correct traffic, but for some reason it's not being flagged by the crypto map statement. Which means the web traffic is heading out my default route and not over the VPN.

I think I'm close but I must be missing something. For the ACL 155 statement I've also tried any any eq www. I can ping the 192.168.10.1 address from the router only if I source it from the fa0/0 interface. I can ping it from all machines on the 192.168.30.0/24 network.

My question is: what is wrong with my route-map statement that is keeping me from pushing web traffic out the VPN?

Route-map not sending traffic over vpn.

I tried that. Same thing. I'm verifying by doing a show crypto ipsec sa and the counters don't increase. If in a browser I go to http://2.2.2.2 it works, I get an Apache page and the encaps/decaps go up. All regular web traffic still goes straight out to the web, skipping the VPN altogether.

Route-map not sending traffic over vpn.

Now I'm totally lost. I removed it and as expected web traffic is not passing through the vpn.

If you remove that policy then how does the router know what to do with port 80 traffic? Something has to tell it to make its next hop the remote side.

If I'm on the 192.168.30.0 side and go to, say, www.google.com, the router will look at that and immediately NAT me and push me out my 0.0.0.0 0.0.0.0 route directly to the internet. I need it to take all web requests and point them out the remote side as the gateway, so it's leaving for the internet from 2.2.2.2. That's why I assumed I needed PBR: it would set the next hop on that interesting traffic, all web requests, then once the next hop was set to 192.168.10.1 the crypto map would match it and send it along.

Does that make more sense?

What I'm trying to accomplish.

www request--->192.168.30.1----VPN----192.168.10.1 ----- NAT 2.2.2.2 --- Out to the internet..

Route-map not sending traffic over vpn.

I changed the ACL. When doing a show crypto ipsec sa I now see 3 protected VRFs matching the 3 ACL statements. I'm not seeing the encap counter go up at all on either 80 or 443, and I can still get to the internet through my normal gateway.

Not only that, but I did a tcpdump tcp 80 on both interfaces of the remote side and both were 0, which makes me think there is no traffic getting there.

In the bigger picture, won't I need something telling all the web traffic that its next hop is 192.168.10.1, since that is the interface on the remote side that it needs to hit to be NAT'ed correctly?

This might be a bit easier if the other side were another Cisco and not an Openswan instance.

I'm not sure how to proceed here. What, if any, other counters should I be looking at here? I know the VPN is up and functioning; now it's just trying to get the correct traffic across it.

Route-map not sending traffic over vpn.

In the bigger picture, won't I need something telling all the web traffic that its next hop is 192.168.10.1, since that is the interface on the remote side that it needs to hit to be NAT'ed correctly?

The access-list you use with your crypto map is what tells your router which packets to send via the VPN. So as long as both ends match, i.e. the same traffic is matched at both ends for sending down the VPN tunnel, then you don't need to add anything in terms of routing or PBR.

As already mentioned you need to make sure that the other end of the VPN is also configured for the same traffic.

Route-map not sending traffic over vpn.

I'm wondering at this point if I'm going about this the wrong way. My goal here is to use my remote endpoint as my gateway to the web: encrypt all web traffic leaving this site, traverse the VPN, get to the other side, then decrypt and go out to the web.

I think I understand what is not working here, but I have no idea how to make it work. The VPN is created between 2 real IPs, 1.1.1.1 and 2.2.2.2. That gives visibility from one internal subnet to the other, 192.168.30.0 and 192.168.10.0. That works. I can ping back and forth happily from internal to internal.

So just flagging port 80 traffic as interesting traffic and pushing it across the VPN doesn't solve this issue.

That's why I was going with the policy-based routing. I figured that by setting a next hop of 192.168.10.1 it would basically say "Oh, someone from 192.168.30.0 wants a web site, well their gateway is 192.168.10.1 so we'll send them there, AND since I see by our crypto map we have to encrypt that over the VPN, we will." That traffic would then hit 192.168.10.1 and be decrypted, NAT'ed out the external addy on that side, 2.2.2.2, and off to the webserver of choice. I'm guessing this thinking is wrong since it didn't work.

I think maybe I'm missing a concept here.

If the ACLs didn't match then the tunnels would never come up. Secondly, even if the ACL on the other side was wrong, I should still see the encap counter go up each and every time I try to hit a web site, because it should be trying to send that across the VPN, correct? At least if that number was going up then I'd know it would be something on the other end.

Due to the other side not being Cisco there really are not any ACLs per se. I'm running iptables, but I've opened them wide up to make sure that wasn't it. As for the IPsec config, that's irrelevant, isn't it, since the tunnels are up and functioning? Here is the config just in case it matters; it's short.

conn IOF
    # tunnel-mode ESP with a pre-shared key
    authby=secret
    type=tunnel
    # local (Openswan) side
    left=2.2.2.2
    leftsubnet=192.168.10.0/24
    leftid=2.2.2.2
    # remote (Cisco) side and the subnets it may send
    right=1.1.1.1
    rightsubnets=192.168.30.0/24,0.0.0.0
    rightid=1.1.1.1
    esp=aes192-sha1
    keyexchange=ike
    ike=aes192-sha1
    phase2=esp
    salifetime=43200s
    pfs=yes
    auto=start
    dpdaction=restart

So if there is an easy way to accomplish this I'd love to hear it. If not, I'm not even sure what to debug. I'm stuck on the fact that the encap # doesn't move past 0, which to me says that it's not getting anything to encrypt.

Re: Route-map not sending traffic over vpn.

Bruce

Can you try modifying your NAT statement? At the moment it is only not doing NAT if the destination IP is 192.168.10.x, but the destination for the internet is any, so in your NAT access-list you need to add statements for http/https and whatever else. What is happening is the router does NAT on your source IPs and then the traffic does not match the access list used in your crypto map. So you would need something like:

ip access-list extended NAT
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny tcp 192.168.30.0 0.0.0.255 any eq www

etc. for any specific ports you want to go via the VPN to the internet. (Port matches need a tcp or udp entry; an ip entry cannot take eq.)
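To make the ordering in that answer concrete, here is an added toy model (not from the thread, not IOS code) of what the router does to an outbound packet: inside-to-outside NAT runs first, and only then is the crypto map access-list consulted. The ACLs, addresses and the web packet below are constructed from the thread's values; 203.0.113.10 stands in for any internet host.

```python
import ipaddress

# Constructed model of IOS order of operations: NAT before crypto map.
# Addresses are the thread's; 203.0.113.10 is a placeholder internet host.

def _net(addr, wildcard="0.0.0.0"):
    """IOS 'network wildcard' pair -> ip_network ('any' -> 0.0.0.0/0).
    Only contiguous wildcards (0.0.0.255 etc.) are handled here."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    bits = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def first_match(acl, pkt):
    """Evaluate ACEs top-down; implicit deny at the end, as on IOS.
    An ACE is (action, proto, src_net, dst_net, dport or None)."""
    for action, proto, src, dst, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in src:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in dst:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"

LAN, REMOTE, ANY = _net("192.168.30.0", "0.0.0.255"), _net("192.168.10.0", "0.0.0.255"), _net("any")

# Crypto map ACL: LAN-to-LAN plus all web traffic from the LAN (the thread's intent).
CRYPTO_ACL = [("permit", "ip", LAN, REMOTE, None), ("permit", "tcp", LAN, ANY, 80)]
# NAT ACL as originally configured: only LAN-to-LAN is exempt from translation.
NAT_ACL_BEFORE = [("deny", "ip", LAN, REMOTE, None), ("permit", "ip", LAN, ANY, None)]
# NAT ACL with the suggested extra deny for port 80, so web traffic keeps its LAN source.
NAT_ACL_AFTER = [NAT_ACL_BEFORE[0], ("deny", "tcp", LAN, ANY, 80), NAT_ACL_BEFORE[1]]

def outbound(pkt, nat_acl, outside_ip="1.1.1.1"):
    """Return (source address on the wire, whether the crypto map encrypts it)."""
    if first_match(nat_acl, pkt) == "permit":      # NAT rewrites the source first...
        pkt = dict(pkt, src=outside_ip)
    return pkt["src"], first_match(CRYPTO_ACL, pkt) == "permit"  # ...then crypto ACL is checked

WEB = {"src": "192.168.30.25", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}
PING = {"src": "192.168.30.25", "dst": "192.168.10.1", "proto": "icmp", "dport": 0}
```

With NAT_ACL_BEFORE the web packet leaves with source 1.1.1.1 and never matches the crypto ACL (encaps stay at 0); with NAT_ACL_AFTER it keeps its 192.168.30.x source and is encrypted, while the LAN-to-LAN ping is encrypted in both cases, which is why the tunnel looked healthy.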
